Deductive Software Verification – The KeY Book

Static analysis of software with deductive methods is a highly dynamic field of research on the verge of becoming a mainstream technology in software engineering. It consists of a large portfolio of - mostly fully automated - analyses: formal verification, test generation, security analysis, visualization, and debugging. All of them are realized in the state-of-art deductive verification framework KeY. This book is the definitive guide to KeY that lets you explore the full potential of deductive software verification in practice. It contains the complete theory behind KeY for active researchers who want to understand it in depth or use it in their own work. But the book also features fully self-contained chapters on the Java Modeling Language and on Using KeY that require nothing else than familiarity with Java. All other chapters are accessible for graduate students (M.Sc. level and beyond). The KeY framework is free and open software, downloadable from the book companion website which contains also all code examples mentioned in this book.

[1]  Ivar Jacobson,et al.  The unified modeling language reference manual , 2010 .

[2]  Reiner Hähnle,et al.  An Interactive Verification Tool Meets an IDE , 2014, IFM.

[3]  Reiner Hähnle,et al.  Integrated and Tool-Supported Teaching of Testing, Debugging, and Verification , 2009, TFM.

[4]  Christoph Scheben,et al.  Verification of Information Flow Properties of Java Programs without Approximations , 2011, FoVeOOS.

[5]  Bernhard Beckert,et al.  Dynamic Logic , 2007, The KeY Approach.

[6]  Arnd Poetzsch-Heffter,et al.  Specification and verification of object-oriented programs , 1997 .

[7]  Sarfraz Khurshid,et al.  Symbolic execution for software testing in practice: preliminary assessment , 2011, 2011 33rd International Conference on Software Engineering (ICSE).

[8]  Erik Poll,et al.  Tearing Java Cards , 2006 .

[9]  K. Rustan M. Leino,et al.  An Extended Static Checker for Modular-3 , 1998, CC.

[10]  Reiner Hähnle,et al.  Verified Resource Guarantees for Heap Manipulating Programs , 2012, FASE.

[11]  Gary T. Leavens,et al.  Preliminary Design of Larch/C++ , 1992, Larch.

[12]  K. Rustan M. Leino,et al.  ESC/Java User's Manual , 2000 .

[13]  Ellis S. Cohen Information transmission in computational systems , 1977, SOSP '77.

[14]  Natarajan Shankar,et al.  PVS: Combining Specification, Proof Checking, and Model Checking , 1996, FMCAD.

[15]  Nathan Wasser Generating Specifications for Recursive Methods by Abstracting Program States , 2015, SETTA.

[16]  Christoph Scheben,et al.  Efficient Self-composition for Weakest Precondition Calculi , 2014, FM.

[17]  Bernhard Beckert,et al.  Under consideration for publication in Formal Aspects of Computing Refinement and Retrenchment for Programming Language Data Types , 2022 .

[18]  Peter H. Schmitt,et al.  Dynamic Frames in Java Dynamic Logic , 2010, FoVeOOS.

[19]  Maritta Heisel,et al.  Program Verification by Symbolic Execution and Induction , 1987, GWAI.

[20]  Marieke Huisman,et al.  Verifying Class Invariants in Concurrent Programs , 2014, FASE.

[21]  K. Rustan M. Leino,et al.  Object Invariants in Dynamic Contexts , 2004, ECOOP.

[22]  Koushik Sen,et al.  Heuristics for Scalable Dynamic Test Generation , 2008, 2008 23rd IEEE/ACM International Conference on Automated Software Engineering.

[23]  Reiner Hähnle,et al.  Symbolic Fault Injection , 2007, VERIFY.

[24]  Nikolai Tillmann,et al.  Pex-White Box Test Generation for .NET , 2008, TAP.

[25]  J. Meseguer,et al.  Security Policies and Security Models , 1982, 1982 IEEE Symposium on Security and Privacy.

[26]  Christoph Scheben,et al.  Program-level Specification and Deductive Verification of Security Properties , 2014 .

[27]  K. Rustan M. Leino,et al.  Practical Reasoning About Invocations and Implementations of Pure Methods , 2007, FASE.

[28]  Jean H. Gallier,et al.  Logic for Computer Science: Foundations of Automatic Theorem Proving , 1985 .

[29]  Reiner Hähnle,et al.  A Theorem Proving Approach to Analysis of Secure Information Flow , 2005, SPC.

[30]  Mattias Ulbrich Dynamic Logic for an Intermediate Language: Verification, Interaction and Refinement , 2013 .

[31]  Jean-Christophe Filliâtre,et al.  Certification of Sorting Algorithms in the Coq System , 2007 .

[32]  Sophia Drossopoulou,et al.  The need for flexible object invariants , 2009, ECOOP 2009.

[33]  Peter Müller,et al.  Formal encoding of JML Level 0 specifications in Jive , 2007 .

[34]  André Platzer,et al.  Logical Analysis of Hybrid Systems - Proving Theorems for Complex Dynamics , 2010 .

[35]  Reiner Hähnle,et al.  Symbolic Execution Debugger (SED) , 2014, RV.

[36]  Z. Chen Java Card Technology for Smart Cards: Architecture and Programmer''s Guide. The Java Series. Addis , 2000 .

[37]  Patrice Chalin,et al.  JML Runtime Assertion Checking: Improved Error Reporting and Efficiency Using Strong Validity , 2008, FM.

[38]  Andreas Zeller,et al.  Why Programs Fail: A Guide to Systematic Debugging , 2005 .

[39]  Stephen A. Cook,et al.  Soundness and Completeness of an Axiom System for Program Verification , 1978, SIAM J. Comput..

[40]  Peter W. O'Hearn,et al.  Separation and information hiding , 2004, POPL.

[41]  Patrice Chalin,et al.  A Sound Assertion Semantics for the Dependable Systems Evolution Verifying Compiler , 2007, 29th International Conference on Software Engineering (ICSE'07).

[42]  Leslie Lamport,et al.  What Good is Temporal Logic? , 1983, IFIP Congress.

[43]  Shmuel S. Tyszberowicz,et al.  Specifying a Linked Data Structure in JML for Formal Verification and Runtime Checking , 2013, SBMF.

[44]  Frank Piessens,et al.  The VeriFast program verifier , 2008 .

[45]  Bart Jacobs,et al.  The LOOP Compiler for Java and JML , 2001, TACAS.

[46]  Michael E. Fagan Design and Code Inspections to Reduce Errors in Program Development , 1976, IBM Syst. J..

[47]  Patrice Chalin,et al.  Improving JML: For a Safer and More Effective Language , 2003, FME.

[48]  Barbara Liskov,et al.  Data Abstraction and Hierarchy , 1987 .

[49]  Viktor Kuncak,et al.  Full functional verification of linked data structures , 2008, PLDI '08.

[50]  Daniel M. Zimmerman,et al.  JMLUnit: The Next Generation , 2010, FoVeOOS.

[51]  Steffen Schlager Handling of Integer Arithmetic in the Verification of Java Programs , 2002 .

[52]  K. Rustan M. Leino,et al.  Verification of Object-Oriented Programs with Invariants , 2003, J. Object Technol..

[53]  Todd Leavens Gary Verifying object-oriented programs that use subtypes , 1989 .

[54]  Reiner Hähnle,et al.  KeY-ABS: A Deductive Verification Tool for the Concurrent Modelling Language ABS , 2015, CADE.

[55]  David R. Cok,et al.  OpenJML: JML for Java 7 by Extending OpenJDK , 2011, NASA Formal Methods.

[56]  Zohar Manna,et al.  Logics of Programs , 1981, Lecture Notes in Computer Science.

[57]  Frank Piessens,et al.  Implicit dynamic frames , 2008, TOPL.

[58]  Nikolai Tillmann,et al.  Parameterized unit tests , 2005, ESEC/FSE-13.

[59]  K. Rustan M. Leino,et al.  Using data groups to specify and check side effects , 2002, PLDI '02.

[60]  Bernhard Beckert,et al.  Regression verification for Java using a secure information flow calculus , 2015, FTfJP@ECOOP.

[61]  Mattias Ulbrich,et al.  A Dynamic Logic for Unstructured Programs with Embedded Assertions , 2010, FoVeOOS.

[62]  Claude Marché,et al.  The KRAKATOA tool for certificationof JAVA/JAVACARD programs annotated in JML , 2004, J. Log. Algebraic Methods Program..

[63]  John Mylopoulos,et al.  '. . . and nothing else changes': the frame problem in procedure specifications , 1993, Proceedings of 1993 15th International Conference on Software Engineering.

[64]  Bernhard Beckert,et al.  Must Program Verification Systems and Calculi Be Verified ? , 2022 .

[65]  Gary T. Leavens,et al.  Specification and verification of object-oriented programs using supertype abstraction , 1995, Acta Informatica.

[66]  Marieke Huisman,et al.  Formal Specifications for Java's Synchronisation Classes , 2014, 2014 22nd Euromicro International Conference on Parallel, Distributed, and Network-Based Processing.

[67]  André Platzer,et al.  Formal verification of distributed aircraft controllers , 2013, HSCC '13.

[68]  David Hovemeyer,et al.  Using Static Analysis to Find Bugs , 2008, IEEE Software.

[69]  John McCarthy,et al.  Towards a Mathematical Science of Computation , 1962, IFIP Congress.

[70]  Daniel Grahl Formal Semantics for the Java Modeling Language , 2010, Informatiktage.

[71]  Gary T. Leavens,et al.  A Quick Overview of Larch/C++ , 1994, J. Object Oriented Program..

[72]  Wojciech Mostowski Dynamic Frames Based Verification Method for Concurrent Java Programs , 2015, VSTTE.

[73]  Abhik Roychoudhury,et al.  Past expression: encapsulating pre-states at post-conditions by means of AOP , 2013, AOSD.

[74]  Bernhard Beckert,et al.  Verification of Object-Oriented Software. The KeY Approach - Foreword by K. Rustan M. Leino , 2007, The KeY Approach.

[75]  José Meseguer,et al.  Formal Analysis of Java Programs in JavaFAN , 2004, CAV.

[76]  Daniel Bruns,et al.  Formal Specification with JML , 2014 .

[77]  John C. Reynolds User-defined types and procedural data structures as complementary approaches to data abstraction , 1994 .

[78]  K. Rustan M. Leino,et al.  Specification and verification , 2011, Commun. ACM.

[79]  Frank S. de Boer,et al.  Proof Pearl: The KeY to Correct and Stable Sorting , 2013, Journal of Automated Reasoning.

[80]  Xavier Leroy,et al.  A Formally Verified Compiler Back-end , 2009, Journal of Automated Reasoning.

[81]  Christine Paulin-Mohring,et al.  Introduction to the Coq Proof-Assistant for Practical Software Verification , 2011, LASER Summer School.

[82]  Bernhard Beckert Taclets: A New Paradigm for Constructing Interactive Theorem Provers , 2004 .

[83]  Ralf Küsters,et al.  Verifiability, Privacy, and Coercion-Resistance: New Insights from a Case Study , 2011, 2011 IEEE Symposium on Security and Privacy.

[84]  Erik Poll,et al.  VerifiCard: A European Project for Smart Card Verification , 2001 .

[85]  Deepak Garg,et al.  Verification of Information Flow and Access Control Policies with Dependent Types , 2011, 2011 IEEE Symposium on Security and Privacy.

[86]  Eduard Kamburjan,et al.  Towards Fully Automatic Logic-Based Information Flow Analysis: An Electronic-Voting Case Study , 2016, POST.

[87]  Sumit Gulwani,et al.  From relational verification to SIMD loop synthesis , 2013, PPoPP '13.

[88]  Stephan Merz,et al.  Model Checking , 2000 .

[89]  Marieke Huisman,et al.  Verification of Concurrent Systems with VerCors , 2014, SFM.

[90]  C. A. R. Hoare,et al.  Verified Software: Theories, Tools, Experiments Vision of a Grand Challenge Project , 2005, VSTTE.

[91]  Reiner Hähnle,et al.  Can Formal Methods Improve the Efficiency of Code Reviews? , 2016, IFM.

[92]  Dorothy E. Denning,et al.  A lattice model of secure information flow , 1976, CACM.

[93]  Nathan Fulton,et al.  KeYmaera X: An Axiomatic Tactical Theorem Prover for Hybrid Systems , 2015, CADE.

[94]  Clark W. Barrett,et al.  The SMT-LIB Standard Version 2.0 , 2010 .

[95]  Peter Müller,et al.  Reasoning About Method Calls in Interface Specifications , 2006, J. Object Technol..

[96]  J. Michael Spivey,et al.  Z Notation - a reference manual (2. ed.) , 1992, Prentice Hall International Series in Computer Science.

[97]  Peter H. Schmitt,et al.  A Computer-Assisted Proof of the Bellman-Ford Lemma , 2011 .

[98]  K. Rustan M. Leino,et al.  Data abstraction and information hiding , 2002, TOPL.

[99]  John McCarthy,et al.  Correctness of a compiler for arithmetic expressions , 1966 .

[100]  Anindya Banerjee,et al.  Regional Logic for Local Reasoning about Global Invariants , 2008, ECOOP.

[101]  Steven M. German,et al.  A Synthesizer of Inductive Assertions , 1975, IEEE Trans. Software Eng..

[102]  Bernhard Beckert,et al.  White-Box Testing by Combining Deduction-Based Specification Extraction and Black-Box Testing , 2007, TAP.

[103]  Benjamin Weiß,et al.  Deductive verification of object-oriented software: dynamic frames, dynamic logic and predicate abstraction , 2011 .

[104]  Thomas Baar Metamodels without Metacircularities , 2003, Obj. Logiciel Base données Réseaux.

[105]  Jonathan P. Bowen,et al.  Formalization of software testing criteria using the Z notation , 2001, 25th Annual International Computer Software and Applications Conference. COMPSAC 2001.

[106]  Rod M. Burstall,et al.  Program Proving as Hand Simulation with a Little Induction , 1974, IFIP Congress.

[107]  Kurt Stenzel Verification of Java card programs , 2005 .

[108]  Lei Yu,et al.  A Formal Model of IEEE Floating Point Arithmetic , 2013, Arch. Formal Proofs.

[109]  Trevor Jennings SPARK: the libre language and toolset for high-assurance software engineering , 2009, SIGAda.

[110]  Camilo Rueda,et al.  Translating B machines to JML specifications , 2012, SAC '12.

[111]  Edsger W. Dijkstra,et al.  A Discipline of Programming , 1976 .

[112]  Frank Piessens,et al.  Expressive modular fine-grained concurrency specification , 2011, POPL '11.

[113]  Anindya Banerjee,et al.  Boogie Meets Regions: A Verification Experience Report , 2008, VSTTE.

[114]  Matthew B. Dwyer,et al.  Checking JML specifications using an extensible software model checking framework , 2006, International Journal on Software Tools for Technology Transfer.

[115]  Dirk Carsten Leinenbach,et al.  Compiler verification in the context of pervasive system verification , 2008 .

[116]  Zvonimir Rakamaric,et al.  Hybrid learning: interface generation through static, dynamic, and symbolic analysis , 2013, ISSTA.

[117]  Danny Dolev,et al.  On the security of public key protocols , 1981, 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981).

[118]  Bernhard Beckert,et al.  Formal Semantics of Model Fields in Annotation-Based Specifications , 2012, KI.

[119]  Gary T. Leavens Modular specification and verification of object-oriented programs , 1991, IEEE Software.

[120]  Ralf Sasse,et al.  Automatic Validation of Transformation Rules for Java Verification Against a Rewriting Semantics , 2005, LPAR.

[121]  Joeri de Ruiter,et al.  Designed to Fail: A USB-Connected Reader for Online Banking , 2012, NordSec.

[122]  David R. Cok Adapting JML to generic types and Java 1.6 , 2008 .

[123]  Michael Huth,et al.  Logic in computer science - modelling and reasoning about systems , 2000 .

[124]  Gilles Barthe,et al.  Precise analysis of memory consumption using program logics , 2005, Third IEEE International Conference on Software Engineering and Formal Methods (SEFM'05).

[125]  Gary T. Leavens,et al.  Extensions of the theory of observational purity and a practical design for JML , 2008 .

[126]  Daniel Bruns Specification of Red-black Trees: Showcasing Dynamic Frames, Model Fields and Sequences , 2011 .

[127]  C. A. R. Hoare,et al.  Procedures and parameters: An axiomatic approach , 1971, Symposium on Semantics of Algorithmic Languages.

[128]  Kristen Nygaard,et al.  The development of the SIMULA languages , 1978, SIGP.

[129]  Peter H. Schmitt,et al.  Axiomatization of Typed First-Order Logic , 2015, FM.

[130]  Matthew J. Parkinson,et al.  jStar: towards practical verification for java , 2008, OOPSLA.

[131]  Michael D. Ernst,et al.  An overview of JML tools and applications , 2003, International Journal on Software Tools for Technology Transfer.

[132]  Kent L. Beck,et al.  JUnit - pocket guide: quick lookup and advice , 2004 .

[133]  Stephen McCamant,et al.  The Daikon system for dynamic detection of likely invariants , 2007, Sci. Comput. Program..

[134]  Bernhard Beckert,et al.  Lessons Learned From Microkernel Verification -- Specification is the New Bottleneck , 2012, SSV.

[135]  Elvira Albert,et al.  Test Data Generation of Bytecode by CLP Partial Evaluation , 2008, LOPSTR.

[136]  Pedro R. D'Argenio,et al.  Secure information flow by self-composition , 2004, Proceedings. 17th IEEE Computer Security Foundations Workshop, 2004..

[137]  Gerard J. Holzmann,et al.  The SPIN Model Checker , 2003 .

[138]  Bernhard Beckert,et al.  An Extension of Dynamic Logic for Modelling OCL's @pre Operator , 2001, Ershov Memorial Conference.

[139]  K. R Leino,et al.  Towards Reliable Modular Programs , 1995 .

[140]  Thomas Tuerk,et al.  A Formalisation of Smallfoot in HOL , 2009, TPHOLs.

[141]  Gary T. Leavens,et al.  Weak behavioral subtyping for types with mutable objects , 1995, MFPS.

[142]  Frank S. de Boer,et al.  Abstract Object Creation in Dynamic Logic , 2009, FM.

[143]  Gary T. Leavens,et al.  Modular invariants for layered object structures , 2006, Sci. Comput. Program..

[144]  Marieke Huisman,et al.  A Symbolic Approach to Permission Accounting for Concurrent Reasoning , 2015, 2015 14th International Symposium on Parallel and Distributed Computing.

[145]  Lauretta O. Osho,et al.  Axiomatic Basis for Computer Programming , 2013 .

[146]  David von Oheimb Analyzing Java in Isabelle-HOL: formalization, type safety and Hoare logic , 2001 .

[147]  Peter H. Schmitt,et al.  Integrierter Deduktiver Software-Entwurf , 1998, Künstliche Intell..

[148]  Reiner Hähnle,et al.  Many-Valued Logic, Partiality, and Abstraction in Formal Specification Languages , 2005, Log. J. IGPL.

[149]  Reiner Hähnle,et al.  Generating Unit Tests from Formal Proofs , 2007, TAP.

[150]  David A. Naumann,et al.  Observational purity and encapsulation , 2005, Theor. Comput. Sci..

[151]  Bernhard Beckert,et al.  The KeY Approach for the Cryptographic Verification of JAVA Programs: A Case Study , 2012 .

[152]  Jean-Raymond Abrial,et al.  The B-book - assigning programs to meanings , 1996 .

[153]  David Brumley,et al.  Enhancing symbolic execution with veritesting , 2014, ICSE.

[154]  Jean-Louis Lanet,et al.  JACK - A Tool for Validation of Security and Behaviour of Java Applications , 2006, FMCO.

[155]  Michael R. Clarkson,et al.  Civitas: Toward a Secure Voting System , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[156]  Bart Jacobs,et al.  A Logic for the Java Modeling Language JML , 2001, FASE.

[157]  Gregor Snelting,et al.  Information Flow Control for Java Based on Path Conditions in Dependence Graphs , 2006, ISSSE.

[158]  Gary T. Leavens,et al.  Modular specification of frame properties in JML , 2003, Concurr. Comput. Pract. Exp..

[159]  J. Paris,et al.  Accessible Independence Results for Peano Arithmetic , 1982 .

[160]  J. Filliâtre,et al.  ACSL: ANSI/ISO C Specification Language , 2008 .

[161]  Jeremy Clark,et al.  Scantegrity II: End-to-End Verifiability by Voters of Optical Scan Elections Through Confirmation Codes , 2009, IEEE Transactions on Information Forensics and Security.

[162]  Erik Poll,et al.  Verifying JML specifications with model fields , 2003 .

[163]  Bertrand Meyer,et al.  Flexible Invariants through Semantic Collaboration , 2013, FM.

[164]  Daniel Grahl Deductive Verification of Concurrent Programs and its Application to Secure Information Flow for Java , 2015 .

[165]  Robert Kohl Specifying Software A Hands On Introduction , 2016 .

[166]  Martin Giese,et al.  Taclets and the KeY Prover , 2004, UITP@TPHOLs.

[167]  Daniel M. Zimmerman,et al.  Modularizing crosscutting contracts with AspectJML , 2014, MODULARITY.

[168]  簡聰富,et al.  物件導向軟體之架構(Object-Oriented Software Construction)探討 , 1989 .

[169]  Gary T. Leavens,et al.  Behavioral Subtyping is Equivalent to Modular Reasoning for Object-oriented Programs , 2006 .

[170]  Jim Gray,et al.  Why Do Computers Stop and What Can Be Done About It? , 1986, Symposium on Reliability in Distributed Software and Database Systems.

[171]  Reiner Hähnle,et al.  Abstract Interpretation of Symbolic Execution with Explicit State Updates , 2009, FMCO.

[172]  Daniel Jackson,et al.  Alloy: A Logical Modelling Language , 2003, ZB.

[173]  Butler W. Lampson,et al.  A note on the confinement problem , 1973, CACM.

[174]  Zoltán Micskei,et al.  Evaluating Symbolic Execution-Based Test Tools , 2015, 2015 IEEE 8th International Conference on Software Testing, Verification and Validation (ICST).

[175]  Yoonsik Cheon Automated Random Testing to Detect Specification-Code Inconsistencies , 2007, SETP.

[176]  Bernhard Steffen,et al.  Learning register automata: from languages to program structures , 2014, Machine Learning.

[177]  Farhad Mehta,et al.  Efficient Well-Definedness Checking , 2008, IJCAR.

[178]  Bernhard Beckert,et al.  A Hybrid Approach for Proving Noninterference of Java Programs , 2015, 2015 IEEE 28th Computer Security Foundations Symposium.

[179]  Jeannette M. Wing,et al.  A behavioral notion of subtyping , 1994, TOPL.

[180]  C. A. R. Hoare,et al.  Proof of a Recursive Program: Quicksort , 1971, Comput. J..

[181]  Daniel Jackson,et al.  Alloy: a lightweight object modelling notation , 2002, TSEM.

[182]  Jeannette M. Wing,et al.  Specifications and Their Use in Defining Subtypes , 1995, ZUM.

[183]  Raymond T. Boute,et al.  Calculational semantics: Deriving programming theories from equations by functional predicate calculus , 2006, TOPL.

[184]  Gary T. Leavens,et al.  Concepts of behavioral subtyping and a sketch of their extension to component-based systems , 2000 .

[185]  Dawson R. Engler,et al.  EXE: automatically generating inputs of death , 2006, CCS '06.

[186]  Andrew C. Myers,et al.  JFlow: practical mostly-static information flow control , 1999, POPL '99.

[187]  David R. Cok,et al.  Reasoning with specifications containing method calls and model fields , 2005, J. Object Technol..

[188]  Benjamin Weiβ,et al.  Predicate abstraction in a program logic calculus , 2011 .

[189]  Joshua J. Bloch Effective Java : programming language guide , 2001 .

[190]  Éric Tanter,et al.  Processing , 1988 .

[191]  M. V. Wilkes,et al.  The Art of Computer Programming, Volume 3, Sorting and Searching , 1974 .

[192]  Daniel Kroening,et al.  CBMC - C Bounded Model Checker - (Competition Contribution) , 2014, TACAS.

[193]  Bernhard Beckert,et al.  The Approach: Integrating Object-oriented Design and Formal Verification (cid:3) , 2007 .

[194]  Patrice Chalin,et al.  Reducing the use of nullable types through non-null by default and monotonic non-null , 2008, IET Softw..

[195]  Christian Sternagel Proof Pearl—A Mechanized Proof of GHC’s Mergesort , 2012, Journal of Automated Reasoning.

[196]  Philipp Rümmer,et al.  Proving and Disproving in Dynamic Logic for Java , 2006 .

[197]  James C. King,et al.  Symbolic execution and program testing , 1976, CACM.

[198]  Corina S. Pasareanu,et al.  Symbolic PathFinder: integrating symbolic execution with model checking for Java bytecode analysis , 2013, Automated Software Engineering.

[199]  Christian Engel A Translation from JML to JavaDL , 2005 .

[200]  David Harel,et al.  First-Order Dynamic Logic , 1979, Lecture Notes in Computer Science.

[201]  Reiner Hähnle,et al.  Visualizing Unbounded Symbolic Execution , 2014, TAP@STAF.

[202]  Erik Poll,et al.  Reasoning about Card Tears and Transactions in Java Card , 2004, FASE.

[203]  Reiner Hähnle,et al.  A visual interactive debugger based on symbolic execution , 2010, ASE '10.

[204]  Niklaus Wirth,et al.  Modula: A language for modular multiprogramming , 1977, Softw. Pract. Exp..

[205]  K. Rustan M. Leino,et al.  A Verification Methodology for Model Fields , 2006, ESOP.

[206]  Bernhard K. Aichernig,et al.  Survey on test data generation tools , 2013, International Journal on Software Tools for Technology Transfer.

[207]  Frank Piessens,et al.  Verification of unloadable C modules (Extended version) , 2011 .

[208]  Vladimir Klebanov,et al.  Pseudo-Random Number Generator Verification: A Case Study , 2015, VSTTE.

[209]  Nadia Polikarpova,et al.  Formal Aspects of Computing Formal Aspects of Computing A fully verified container library , 2017 .

[210]  K. Rustan M. Leino,et al.  Efficient weakest preconditions , 2005, Inf. Process. Lett..

[211]  Patrice Chalin,et al.  Towards an industrial grade IVE for Java and next generation research platform for JML , 2010, International Journal on Software Tools for Technology Transfer.

[212]  Akinori Yonezawa,et al.  Proving Compiler Correctness in a Mechanized Logic R. Milner and R. Weyhrauch , 1974 .

[213]  Christoph Gladisch Verification-based software-fault detection , 2011 .

[214]  Nikolai Kosmatov,et al.  Automating structural testing of C programs: Experience with PathCrawler , 2009, 2009 ICSE Workshop on Automation of Software Test.

[215]  K. Gödel Über formal unentscheidbare Sätze der Principia Mathematica und verwandter Systeme I , 1931 .

[216]  Bernhard Beckert,et al.  Evaluating the Usability of Interactive Verification Systems , 2012, COMPARE.

[217]  Gabriele Paganelli,et al.  Real-time Java API specifications for high coverage test generation , 2012, JTRES '12.

[218]  Reiner Hähnle,et al.  KeY-C: A Tool for Verification of C Programs , 2007, CADE.

[219]  Hong Zhu,et al.  Software unit test coverage and adequacy , 1997, ACM Comput. Surv..

[220]  Peter W. O'Hearn,et al.  Local Reasoning about Programs that Alter Data Structures , 2001, CSL.

[221]  Christian Hammer Information flow control for Java: a comprehensive approach based on path conditions in dependence graphs , 2009 .

[222]  Jean-Christophe Filliâtre,et al.  The spirit of ghost code , 2014, Formal Methods Syst. Des..

[223]  Elvira Albert,et al.  The ABS tool suite: modelling, executing and analysing distributed adaptable object-oriented systems , 2012, International Journal on Software Tools for Technology Transfer.

[224]  Vladimir Klebanov,et al.  Relational Program Reasoning Using Compiler IR , 2016, VSTTE.

[225]  Jacques Stern,et al.  Why Provable Security Matters? , 2003, EUROCRYPT.

[226]  Bernhard Beckert,et al.  Dynamic logic with non-rigid functions a basis for object-oriented program verification , 2006 .

[227]  Yoonsik Cheon,et al.  A Runtime Assertion Checker for the Java Modeling Language (JML) , 2003, ICSE 2003.

[228]  Patrick Cousot,et al.  Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints , 1977, POPL.

[229]  Wojciech Mostowski,et al.  Formal Reasoning About Non-atomic Java Card Methods in Dynamic Logic , 2006, FM.

[230]  Markus Wagner,et al.  A Metric for Testing Program Verification Systems , 2013, TAP@STAF.

[231]  Reiner Hähnle,et al.  Program Transformation Based on Symbolic Execution and Deduction , 2013, SEFM.

[232]  Richard Bubel,et al.  Dependency-Based Information Flow Analysis with Declassification in a Program Logic , 2015, ArXiv.

[233]  Reiner Hähnle,et al.  Automating Verification of Loops by Parallelization , 2006, LPAR.

[234]  Luciano Baresi,et al.  An Introduction to Software Testing , 2006, FoVMT.

[235]  Jürgen Graf,et al.  Using JOANA for Information Flow Control in Java Programs - A Practical Guide , 2013, Software Engineering.

[236]  Gordon J. Pace,et al.  A Specification Language for Static and Runtime Verification of Data and Control Properties , 2015, FM.

[237]  Kerry Trentelman,et al.  Proving correctness of JavaCard DL taclets using Bali , 2005, Third IEEE International Conference on Software Engineering and Formal Methods (SEFM'05).

[238]  Bart Jacobs,et al.  Formal methods for smart cards: an experience report , 2005, Sci. Comput. Program..

[239]  Martin Giese A Calculus for Type Predicates and Type Coercion , 2005, TABLEAUX.

[240]  Patrice Chalin,et al.  Non-null references by default in the Java modeling language , 2006, SAVCBS '05.

[241]  K. Rustan M. Leino,et al.  The Spec# Programming System: An Overview , 2004, CASSIS.

[242]  Raymond Klefstad,et al.  A Survey of Worst-Case Execution Time Analysis for Real-Time Java , 2007, 2007 IEEE International Parallel and Distributed Processing Symposium.

[243]  Reiner Hähnle,et al.  A Formalisation of Java Strings for Program Specification and Verification , 2011, SEFM.

[244]  Lars Birkedal,et al.  Verifying Object-Oriented Programs with Higher-Order Separation Logic in Coq , 2011, ITP.

[245]  Anindya Banerjee,et al.  Decision Procedures for Region Logic , 2012, VMCAI.

[246]  Bernhard Beckert,et al.  A Program Logic for Handling JAVA CARD's Transaction Mechanism , 2003, FASE.

[247]  Michael Kirsten Proving Well-Definedness of JML Specifications with KeY , 2013 .

[248]  Wojciech Mostowski,et al.  Fully Verified Java Card API Reference Implementation , 2007, VERIFY.

[249]  Marieke Huisman,et al.  The VerCors Tool for Verification of Concurrent Programs , 2014, FM.

[250]  Frank Piessens,et al.  An Automatic Verifier for Java-Like Programs Based on Dynamic Frames , 2008, FASE.

[251]  James Noble,et al.  Ownership types for flexible alias protection , 1998, OOPSLA '98.

[252]  Philipp Rümmer,et al.  Ensuring the Correctness of Lightweight Tactics for JavaCard Dynamic Logic , 2008, Electron. Notes Theor. Comput. Sci..

[253]  Cliff B. Jones,et al.  Tentative steps toward a development method for interfering programs , 1983, TOPL.

[254]  Torben Amtoft,et al.  A logic for information flow in object-oriented programs , 2006, POPL '06.

[255]  Nikolai Kosmatov,et al.  How Test Generation Helps Software Specification and Deductive Verification in Frama-C , 2014, TAP@STAF.

[256]  Mark A. Hillebrand,et al.  Automated Verification of a Small Hypervisor , 2010, VSTTE.

[257]  Peter H. Schmitt,et al.  Provably correct loops bounds for realtime Java programs , 2006, JTRES '06.

[258]  Bertrand Meyer,et al.  Applying 'design by contract' , 1992, Computer.

[259]  Reiner Hähnle,et al.  A Hoare-Style Calculus with Explicit State Updates , 2008, FM'08 2008.

[260]  Robert Geisler,et al.  InterACT: An Interactive Theorem Prover for Algebraic Specifications , 1996, AMAST.

[261]  K. Rustan M. Leino,et al.  Houdini, an Annotation Assistant for ESC/Java , 2001, FME.

[262]  Tobias Nipkow,et al.  A Proof Assistant for Higher-Order Logic , 2002 .

[263]  Albert L. Baker,et al.  Preliminary design of JML: a behavioral interface specification language for java , 2006, SOEN.

[264]  Gary T. Leavens,et al.  Protective Interface Specifications , 1997, TAPSOFT.

[265]  Gilles Barthe,et al.  Probabilistic Relational Reasoning for Differential Privacy , 2012, TOPL.

[266]  Ulrik Pagh Schultz,et al.  Automatic program specialization for Java , 2000, TOPL.

[267]  John C. Reynolds,et al.  Separation logic: a logic for shared mutable data structures , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[268]  Karl N. Levitt,et al.  SELECT—a formal system for testing and debugging programs by symbolic execution , 1975 .

[269]  Sven Apel,et al.  Detecting Dependences and Interactions in Feature-Oriented Design , 2010, 2010 IEEE 21st International Symposium on Software Reliability Engineering.

[270]  Gavin M. Bierman,et al.  Separation logic and abstraction , 2005, POPL '05.

[271]  Simon L. Peyton Jones,et al.  Roadmap for enhanced languages and methods to aid verification , 2006, GPCE '06.

[272]  S. Stepney,et al.  The certification of the Mondex electronic purse to ITSEC Level E6 , 2007, Formal Aspects of Computing.

[273]  Wojciech Mostowski,et al.  Formalisation and Verification of Java Card Security Properties in Dynamic Logic , 2005, FASE.

[274]  Gary T. Leavens,et al.  Desugaring JML Method Specifications , 2005 .

[275]  Bor-Yuh Evan Chang,et al.  Boogie: A Modular Reusable Verifier for Object-Oriented Programs , 2005, FMCO.

[276]  Néstor Cataño,et al.  CHASE: A Static Checker for JML's Assignable Clause , 2002, VMCAI.

[277]  John Tang Boyland,et al.  Checking Interference with Fractional Permissions , 2003, SAS.

[278]  Bart Jacobs,et al.  Dismantling MIFARE Classic , 2008, ESORICS.

[279]  Glenford J. Myers,et al.  Art of Software Testing , 1979 .

[280]  Reiner Hähnle,et al.  Fully Abstract Operation Contracts , 2014, ISoLA.

[281]  Jan Smans,et al.  Verification of Concurrent Programs with Chalice , 2009, FOSAD.

[282]  Bertrand Meyer,et al.  From Structured Programming to Object-Oriented Design: The Road to Eiffel , 1989, Struct. Program..

[283]  Mark A. Hillebrand,et al.  VCC: A Practical System for Verifying Concurrent C , 2009, TPHOLs.

[284]  Michael Norrish,et al.  seL4: formal verification of an operating-system kernel , 2010, Commun. ACM.

[285]  Myra B. Cohen,et al.  An orchestrated survey of methodologies for automated software test case generation , 2013, J. Syst. Softw..

[286]  Robert W. Floyd,et al.  Assigning Meanings to Programs , 1993 .

[287]  James Gosling,et al.  The Real-Time Specification for Java , 2000, Computer.

[288]  Andreas Roth,et al.  Specification and verification of object oriented software components , 2006 .

[289]  K. Rustan M. Leino,et al.  Dafny: An Automatic Program Verifier for Functional Correctness , 2010, LPAR.

[290]  Marieke Huisman,et al.  The VerCors project: setting up basecamp , 2012, PLPV '12.

[291]  Stephen J. Garland,et al.  Larch: Languages and Tools for Formal Specification , 1993, Texts and Monographs in Computer Science.

[292]  Vaughan R. Pratt,et al.  SEMANTICAL CONSIDERATIONS ON FLOYD-HOARE LOGIC , 1976, FOCS 1976.

[293]  B. Jacobs,et al.  A tutorial on (co)algebras and (co)induction , 1997 .

[294]  Dawson R. Engler,et al.  KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs , 2008, OSDI.

[295]  Ran Ji,et al.  Sound programm transformation based on symbolic execution and deduction , 2014 .

[296]  Gary T. Leavens,et al.  Specification and verification challenges for sequential object-oriented programs , 2007, Formal Aspects of Computing.

[297]  Vladimir Klebanov,et al.  Automating regression verification , 2014, Software Engineering & Management.

[298]  Jean-Louis Lanet,et al.  Java Applet Correctness: A Developer-Oriented Approach , 2003, FME.

[299]  Erik Poll,et al.  Malicious Code on Java Card Smartcards: Attacks and Countermeasures , 2008, CARDIS.

[300]  A. Mostowski On a generalization of quantifiers , 1957 .

[301]  Jörn Müller-Quade,et al.  Enhancing Electronic Voting Machines on the Example of Bingo Voting , 2009, IEEE Transactions on Information Forensics and Security.

[302]  Daniel Kroening,et al.  Decision Procedures - An Algorithmic Point of View , 2008, Texts in Theoretical Computer Science. An EATCS Series.

[303]  Elmar Habermalz Ein dynamisches automatisierbares interaktives Kalkül für schematische theoriespezifische Regeln , 2000 .

[304]  Gilles Barthe,et al.  Relational Verification Using Product Programs , 2011, FM.

[305]  Nick Benton,et al.  Simple relational correctness proofs for static analyses and program transformations , 2004, POPL.

[306]  Nikolai Tillmann,et al.  XRT- Exploring Runtime for .NET Architecture and Applications , 2006, Electron. Notes Theor. Comput. Sci..

[307]  Zohar Manna,et al.  The calculus of computation - decision procedures with applications to verification , 2007 .

[308]  Patrice Chalin,et al.  JML Support for Primitive Arbitrary Precision Numeric Types: Definition and Semantics , 2004, J. Object Technol..

[309]  Reiner Hähnle,et al.  Exploit Generation for Information Flow Leaks in Object-Oriented Programs , 2015, SEC.

[310]  Crystal Chang Din Verification of Asynchronously Communicating Objects , 2014 .

[311]  Jos Warmer,et al.  The object constraint language , 1998 .

[312]  Ben Adida,et al.  Helios: Web-based Open-Audit Voting , 2008, USENIX Security Symposium.

[313]  Xavier Leroy,et al.  Formal certification of a compiler back-end or: programming a compiler with a proof assistant , 2006, POPL '06.

[314]  Bart Jacobs,et al.  Java Program Verification Challenges , 2002, FMCO.

[315]  Vladimir Klebanov,et al.  Precise quantitative information flow analysis - a symbolic approach , 2014, Theor. Comput. Sci..

[316]  D. Gabbay,et al.  Handbook of Philosophical Logic, Volume II. Extensions of Classical Logic , 1986 .

[317]  Claude Marché,et al.  Verification of JAVA CARD Applets Behavior with Respect to Transactions and Card Tears , 2006, Fourth IEEE International Conference on Software Engineering and Formal Methods (SEFM'06).

[318]  Dermot Cochran,et al.  The KOA Remote Voting System: A Summary of Work to Date , 2006, TGC.

[319]  Richard Bubel,et al.  Formal verification of recursive predicates , 2007 .

[320]  Guy L. Steele,et al.  The Java Language Specification , 1996 .

[321]  Bernhard Beckert,et al.  Information Flow in Object-Oriented Software , 2013, LOPSTR.

[322]  C. A. R. Hoare,et al.  Proof of correctness of data representations , 1972, Acta Informatica.